# Secure computation system, secure computation apparatus, secure computation method, and recording medium

P_{i} and P_{+} have stored a_{+}∈{a_{0}, a_{1}, a_{2}} and b_{+}∈{b_{0}, b_{1}, b_{2}} therein, and P_{i} and P_{−} have stored a_{−}∈A_{−} and b_{−}∈B_{−} therein. Here, P_{+}=P_{(i+1)mod 3}, P_{−}=P_{(i−1)mod 3}, and a and b are arbitrary values and satisfy a=a_{0}+a_{1}+a_{2} and b=b_{0}+b_{1}+b_{2}, where A_{−} is a complement of a_{+} in {a_{0}, a_{1}, a_{2}} and B_{−} is a complement of b_{+} in {b_{0}, b_{1}, b_{2}}. P_{i} and P_{+} share r_{+}, P_{i} and P_{−} share r_{−}, and P_{i} calculates c_{+}=(a_{+}+a_{−})(b_{+}+b_{−})−a_{−}b_{−}+r_{+}−r_{−}. P_{i} sends c_{+} to P_{+}.

**Description**

**TECHNICAL FIELD**

The present invention relates to the field of cryptographic techniques, and more particularly to the field of secure computation techniques.

**BACKGROUND ART**

In some schemes, values are exchanged among multiple secure computation apparatuses and each secure computation apparatus performs secure computation such as secure multiplication or secure multiply-accumulate using values received from other secure computation apparatuses (see Patent Literature 1, for instance).

**PRIOR ART LITERATURE**

**Patent Literature**

Patent Literature 1: Japanese Registered Patent No. 6006842

**SUMMARY OF THE INVENTION**

**Problems to be Solved by the Invention**

The scheme described in Patent Literature 1, however, has the disadvantage of involving a large number of additions/subtractions and multiplications and a large number of memory accesses.

An object of the present invention is to provide techniques for performing secure multiplication or secure multiply-accumulate with fewer additions/subtractions and multiplications and fewer memory accesses than conventional techniques.

**Means to Solve the Problems**

The secure multiplication according to the present invention is performed in the following manner. A storage of a secure computation apparatus P_{i} and a storage of a secure computation apparatus P_{+} have stored therein subshares a_{+}∈{a_{0}, a_{1}, a_{2}} and b_{+}∈{b_{0}, b_{1}, b_{2}}, and the storage of the secure computation apparatus P_{i} and a storage of a secure computation apparatus P_{−} have stored therein subshares a_{−}∈A_{−} and b_{−}∈B_{−}. Here, i∈{0, 1, 2} holds; P_{+} is P_{(i+1)mod 3}; P_{−} is P_{(i−1)mod 3}; a and b are arbitrary values; a_{0}, a_{1}, and a_{2} are subshares satisfying a=a_{0}+a_{1}+a_{2}; b_{0}, b_{1}, and b_{2} are subshares satisfying b=b_{0}+b_{1}+b_{2}; A_{−} is a complement of a_{+} in {a_{0}, a_{1}, a_{2}}; and B_{−} is a complement of b_{+} in {b_{0}, b_{1}, b_{2}}. A sharing unit of the secure computation apparatus P_{i} and a sharing unit of the secure computation apparatus P_{+} share an arbitrary value r_{+}, and the sharing unit of the secure computation apparatus P_{i} and a sharing unit of the secure computation apparatus P_{−} share an arbitrary value r_{−}, and an arithmetic unit of the secure computation apparatus P_{i} calculates c_{+}=(a_{+}+a_{−})(b_{+}+b_{−})−a_{−}b_{−}+r_{+}−r_{−}. An output unit of each secure computation apparatus P_{i} outputs c_{+} to the secure computation apparatus P_{+}, and c_{+} is input to an input unit of the secure computation apparatus P_{+}.

The secure multiply-accumulate according to the present invention is performed in the following manner. A storage of a secure computation apparatus P_{i }and a storage of a secure computation apparatus P_{+} have stored therein subshares a_{+}(n)∈{a_{0}(n), a_{1}(n), a_{2}(n)} and b_{+}(n)∈{b_{0}(n), b_{1}(n), b_{2}(n)}, and the storage of the secure computation apparatus P_{i }and a storage of a secure computation apparatus P_{−} have stored therein subshares a_{−}(n)∈A_{−}(n) and b_{−}(n)∈B_{−}(n). Here, i∈{0, 1, 2} holds; P_{+} is P_{(i+1)mod 3}; P_{−} is P_{(i−1)mod 3}; a(n) and b(n) are arbitrary values; a_{0}(n), a_{1}(n), and a_{2}(n) are subshares satisfying a(n)=a_{0}(n)+a_{1}(n)+a_{2}(n); b_{0}(n), b_{1}(n), and b_{2}(n) are subshares satisfying b(n)=b_{0}(n)+b_{1}(n)+b_{2}(n); N is a positive integer, where n=0, . . . , N−1; A_{−}(n) is a complement of a_{+}(n) in {a_{0}(n), a_{1}(n), a_{2}(n)}; and B_{−}(n) is a complement of b_{+}(n) in {b_{0}(n), b_{1}(n), b_{2}(n)}. A sharing unit of the secure computation apparatus P_{i }and a sharing unit of the secure computation apparatus P_{+} share an arbitrary value r_{+}, the sharing unit of the secure computation apparatus P_{i }and a sharing unit of the secure computation apparatus P_{−} share an arbitrary value r_{−}, and an arithmetic unit of the secure computation apparatus P_{i }calculates:

$$c_{+}=\sum_{n=0}^{N-1}\{(a_{+}(n)+a_{-}(n))(b_{+}(n)+b_{-}(n))-a_{-}(n)b_{-}(n)+r_{+}-r_{-}\}$$

Each secure computation apparatus P_{i }outputs c_{+} to the secure computation apparatus P_{+}, and c_{+} is input to an input unit of the secure computation apparatus P_{+}.

**Effects of the Invention**

This allows secure multiplication or secure multiply-accumulate to be performed with fewer additions/subtractions and multiplications and fewer memory accesses than conventional techniques.

**BRIEF DESCRIPTION OF THE DRAWINGS**

**DETAILED DESCRIPTION OF THE EMBODIMENTS**

Embodiments of the present invention are described below using the drawings.

**First Embodiment**

In a first embodiment, multiplication ab∈F of arbitrary values a, b∈F is performed by secure computation (secure multiplication). Here, F represents a finite field. This secure multiplication obtains secret sharing values of a multiplication result ab from secret sharing values (shares) of the arbitrary value a and secret sharing values of the arbitrary value b. This is described in detail below.

<Configuration>

A secure computation system **1** of this embodiment includes three secure computation apparatuses **11**-P_{0}, **11**-P_{1}, **11**-P_{2} (secure computation apparatuses P_{0}, P_{1}, P_{2}). The secure computation apparatuses **11**-P_{0}, **11**-P_{1}, **11**-P_{2} are configured to be able to communicate over a communication network, such as the Internet. The secure computation apparatus **11**-P (where P∈{P_{0}, P_{1}, P_{2}}) of this embodiment includes a storage **111**-P (storage and memory), an arithmetic unit **112**-P, a control unit **113**-P, a sharing unit **114**-P, and a communication unit **115**-P. The secure computation apparatus **11**-P executes various kinds of processing under control of the control unit **113**-P and data resulting from the processing is sequentially stored in the storage **111**-P and read out where necessary.

<Preliminary Processing>

Through preliminary processing, an arbitrary value a is secret-shared among subshares a_{0}, a_{1}, a_{2}∈F satisfying a=a_{0}+a_{1}+a_{2}∈F, and an arbitrary value b is secret-shared among subshares b_{0}, b_{1}, b_{2}∈F satisfying b=b_{0}+b_{1}+b_{2}∈F. A storage **111**-P_{i} of a secure computation apparatus **11**-P_{i} has stored therein subshares a_{+}∈{a_{0}, a_{1}, a_{2}} and b_{+}∈{b_{0}, b_{1}, b_{2}}, and a storage **111**-P_{+} of a secure computation apparatus **11**-P_{+} also has stored therein the subshares a_{+} and b_{+}. The subshare a_{+} is any one element of {a_{0}, a_{1}, a_{2}}, and the subshare b_{+} is any one element of {b_{0}, b_{1}, b_{2}}. The storage **111**-P_{i} of the secure computation apparatus **11**-P_{i} has stored therein subshares a_{−}∈A_{−} and b_{−}∈B_{−}, and a storage **111**-P_{−} of a secure computation apparatus **11**-P_{−} also has stored therein subshares a_{−} and b_{−}. The subshare a_{−} is any one element of A_{−}, and the subshare b_{−} is any one element of B_{−}. Here, A_{−} is a complement of a_{+} in {a_{0}, a_{1}, a_{2}} (A_{−}={a_{0}, a_{1}, a_{2}}−{a_{+}}), and B_{−} is a complement of b_{+} in {b_{0}, b_{1}, b_{2}} (B_{−}={b_{0}, b_{1}, b_{2}}−{b_{+}}). Also, i∈{0, 1, 2} holds, P_{+} is P_{(i+1)mod 3}, and P_{−} is P_{(i−1)mod 3}. In the illustrated example, subshares (a_{0}, a_{1}) and (b_{0}, b_{1}) are stored in the storage **111**-P_{0} of the secure computation apparatus **11**-P_{0}, subshares (a_{1}, a_{2}) and (b_{1}, b_{2}) are stored in the storage **111**-P_{1} of the secure computation apparatus **11**-P_{1}, and subshares (a_{2}, a_{0}) and (b_{2}, b_{0}) are stored in the storage **111**-P_{2} of the secure computation apparatus **11**-P_{2}. Note that (a_{0}, a_{1}), (a_{1}, a_{2}), and (a_{2}, a_{0}) are secret sharing values of a, and (b_{0}, b_{1}), (b_{1}, b_{2}), and (b_{2}, b_{0}) are secret sharing values of b.

<Secure Computation>

On the precondition that this preliminary processing has been performed, each secure computation apparatus **11**-P_{i} (where i∈{0, 1, 2}) performs the following secure computation.

A sharing unit **114**-P_{i }of each secure computation apparatus **11**-P_{i }and a sharing unit **114**-P_{+} of the secure computation apparatus **11**-P_{+} share an arbitrary value r_{+}∈F. That is, the sharing unit **114**-P_{i }and the sharing unit **114**-P_{+} each obtain the same arbitrary value r_{+} as that obtained by the other. The shared arbitrary value r_{+} is stored in the storage **111**-P_{i }and the storage **111**-P_{+}. Examples of the arbitrary value r_{+} include a pseudo random number, a true random number, a value selected from multiple predetermined values, an input value, a value resulting from a separate process, and the like. Sharing of the arbitrary value r_{+} can be done in a known manner. For example, the arbitrary value r_{+} may be shared between the sharing unit **114**-P_{i }and the sharing unit **114**-P_{+} by sending the arbitrary value r_{+} or information for identifying the arbitrary value r_{+} from the sharing unit **114**-P_{i }to the sharing unit **114**-P_{+}. Conversely, the arbitrary value r_{+} may be shared between the sharing unit **114**-P_{i }and the sharing unit **114**-P_{+} by sending the arbitrary value r_{+} or information for identifying the arbitrary value r_{+} from the sharing unit **114**-P_{+} to the sharing unit **114**-P_{i}. The sharing unit **114**-P_{i }and the sharing unit **114**-P_{+} may also share a seed value with each other beforehand and perform predetermined processing using the seed value so that the arbitrary value r_{+} is shared between the sharing unit **114**-P_{i }and the sharing unit **114**-P_{+}. The arbitrary value r_{+} may also be shared between the sharing unit **114**-P_{i }and sharing unit **114**-P_{+} by means of a known key exchange algorithm (step S**11**).

The sharing unit **114**-P_{i }of each secure computation apparatus **11**-P_{i }and the sharing unit **114**-P_{−} of the secure computation apparatus **11**-P_{−} share an arbitrary value r_{−}∈F. That is, the sharing unit **114**-P_{i }and the sharing unit **114**-P_{−} each obtain the same arbitrary value r_{−} as that obtained by the other. The shared arbitrary value r_{−} is stored in the storage **111**-P_{i }and the storage **111**-P_{−}. Examples of the arbitrary value r_{−} include a pseudo random number, a true random number, a value selected from multiple predetermined values, an input value, a value resulting from a separate process, and the like. Sharing of the arbitrary value r_{−} can be done in a known manner. For example, the arbitrary value r_{−} may be shared between the sharing unit **114**-P_{i }and the sharing unit **114**-P_{−} by sending the arbitrary value r_{−} or information for identifying the arbitrary value r_{−} from the sharing unit **114**-P_{i }to the sharing unit **114**-P_{−}. Conversely, the arbitrary value r_{−} may be shared between the sharing unit **114**-P_{i }and the sharing unit **114**-P_{−} by sending the arbitrary value r_{−} or information for identifying the arbitrary value r_{−} from the sharing unit **114**-P_{−} to the sharing unit **114**-P_{i}. Alternatively, the sharing unit **114**-P_{i }and the sharing unit **114**-P_{−} may share a seed value with each other beforehand and perform predetermined processing using the seed value so that the arbitrary value r_{−} is shared between the sharing unit **114**-P_{i }and the sharing unit **114**-P_{−}. The arbitrary value r_{−} may also be shared between the sharing unit **114**-P_{i }and the sharing unit **114**-P_{−} by means of a known key exchange algorithm (step S**12**).

In the illustrated example, in steps S**11** and S**12**, the sharing unit **114**-P_{0} and the sharing unit **114**-P_{1} share an arbitrary value r_{01}∈F, the sharing unit **114**-P_{1} and the sharing unit **114**-P_{2} share an arbitrary value r_{12}∈F, and the sharing unit **114**-P_{2} and the sharing unit **114**-P_{0} share an arbitrary value r_{20}∈F.

An arithmetic unit **112**-P_{i} of each secure computation apparatus **11**-P_{i} uses a_{+}, a_{−}, b_{+}, b_{−}, r_{+}, and r_{−} read from the storage **111**-P_{i} to calculate and output c_{+}=(a_{+}+a_{−})(b_{+}+b_{−})−a_{−}b_{−}+r_{+}−r_{−}∈F. In the illustrated example, an arithmetic unit **112**-P_{0} of the secure computation apparatus **11**-P_{0} calculates and outputs c_{1}=(a_{0}+a_{1})(b_{0}+b_{1})−a_{0}b_{0}+r_{01}−r_{20}∈F, an arithmetic unit **112**-P_{1} of the secure computation apparatus **11**-P_{1} calculates and outputs c_{2}=(a_{1}+a_{2})(b_{1}+b_{2})−a_{1}b_{1}+r_{12}−r_{01}∈F, and an arithmetic unit **112**-P_{2} of the secure computation apparatus **11**-P_{2} calculates and outputs c_{0}=(a_{2}+a_{0})(b_{2}+b_{0})−a_{2}b_{2}+r_{20}−r_{12}∈F (step S**13**).

A communication unit **115**-P_{i} of each secure computation apparatus **11**-P_{i} transmits c_{+} (outputs c_{+}) to the secure computation apparatus **11**-P_{+} (step S**14**). c_{+} is received by (input to) a communication unit **115**-P_{+} of the secure computation apparatus **11**-P_{+}. Letting c_{−} represent a value calculated by an arithmetic unit **112**-P_{−} of the secure computation apparatus **11**-P_{−} and transmitted from a communication unit **115**-P_{−}, the communication unit **115**-P_{i} of each secure computation apparatus **11**-P_{i} receives c_{−} (step S**15**). In the illustrated example, the communication unit **115**-P_{0} of the secure computation apparatus **11**-P_{0} transmits c_{1} to the secure computation apparatus **11**-P_{1}, and c_{1} is received by a communication unit **115**-P_{1} of the secure computation apparatus **11**-P_{1}. The communication unit **115**-P_{1} of the secure computation apparatus **11**-P_{1} transmits c_{2} to the secure computation apparatus **11**-P_{2}, and c_{2} is received by a communication unit **115**-P_{2} of the secure computation apparatus **11**-P_{2}. The communication unit **115**-P_{2} of the secure computation apparatus **11**-P_{2} transmits c_{0} to the secure computation apparatus **11**-P_{0}, and c_{0} is received by the communication unit **115**-P_{0} of the secure computation apparatus **11**-P_{0} (steps S**14** and S**15**).

c_{−} received at step S**15** and c_{+} obtained at step S**13** are stored in the storage **111**-P_{i} of each secure computation apparatus **11**-P_{i}. In the illustrated example, (c_{0}, c_{1}) are stored in the storage **111**-P_{0} of the secure computation apparatus **11**-P_{0}, (c_{1}, c_{2}) are stored in the storage **111**-P_{1} of the secure computation apparatus **11**-P_{1}, and (c_{2}, c_{0}) are stored in the storage **111**-P_{2} of the secure computation apparatus **11**-P_{2} (step S**16**).

c_{0}, c_{1}, and c_{2 }in this embodiment are the subshares of the multiplication result ab which satisfies ab=c_{0}+c_{1}+c_{2}∈F, and (c_{0}, c_{1}), (c_{1}, c_{2}), and (c_{2}, c_{0}) are the secret sharing values of the multiplication result ab. Obtaining any two of these secret sharing values (c_{0}, c_{1}), (c_{1}, c_{2}), (c_{2}, c_{0}) allows reconstruction of the multiplication result ab. That is, c_{0}+c_{1}+c_{2}=ab is satisfied. In the example of

(c_{−}, c_{+}) stored in the storage **111**-P_{i }of each secure computation apparatus **11**-P_{i }may be provided as input to a further secure computation apparatus (not shown), or may be provided as input to a reconstruction apparatus (not shown) which reconstructs the multiplication result ab for reconstruction and output of the multiplication result ab.
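
The identity c_{0}+c_{1}+c_{2}=ab stated above can be checked directly. The following derivation is an added worked example, not part of the original text; indices are taken mod 3, and it uses the assignment of the example, in which P_{i} computes c_{i+1} with a_{−}=a_{i}, a_{+}=a_{i+1}, b_{−}=b_{i}, and b_{+}=b_{i+1}.

$$
\begin{aligned}
c_{0}+c_{1}+c_{2}
&=\sum_{i=0}^{2}\{(a_{i}+a_{i+1})(b_{i}+b_{i+1})-a_{i}b_{i}\}+(r_{01}-r_{20})+(r_{12}-r_{01})+(r_{20}-r_{12})\\
&=\sum_{i=0}^{2}\{a_{i}b_{i+1}+a_{i+1}b_{i}+a_{i+1}b_{i+1}\}\\
&=\sum_{i=0}^{2}a_{i}b_{i}+\sum_{i\neq j}a_{i}b_{j}\\
&=(a_{0}+a_{1}+a_{2})(b_{0}+b_{1}+b_{2})=ab
\end{aligned}
$$

The arbitrary values r_{01}, r_{12}, and r_{20} each appear once with a plus sign and once with a minus sign, so they cancel in the sum and do not affect the reconstructed result.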

**Features of this Embodiment**

As shown above, this embodiment allows secure multiplication to be performed with a less number of additions/subtractions and multiplications and a less number of memory accesses compared to the conventional scheme described in Patent Literature 1. More specifically, the conventional scheme described in Patent Literature 1 requires each secure computation apparatus to save, in its memory, values obtained by performing additions/subtractions and multiplications on its own using secret sharing values or the like stored in the memory, to receive values that were obtained at another secure computation apparatus by additions/subtractions and multiplications and save them in the memory, and to further perform additions/subtractions and multiplications using these values saved in the memory. The scheme of Patent Literature 1 accordingly involves large numbers of additions/subtractions and multiplications and memory accesses. In this embodiment, by contrast, values that are obtained by each secure computation apparatus by performing additions/subtractions and multiplications on its own using secret sharing values and the like stored in its memory and values that are obtained at another secure computation apparatus by performing additions/subtractions and multiplication directly become the subshares of an arithmetic result. Thus, it involves a less number of additions/subtractions and multiplications and a less number of memory accesses than the scheme of Patent Literature 1. Particularly in secure computation of high arithmetic speed, the time for memory access creates a bottleneck in the improvement of the overall arithmetic speed. Because the scheme of this embodiment allows reduction in the number of memory accesses, it can significantly improve the arithmetic speed. For example, when calculating c_{XY}=a_{−}b_{+}+a_{+} b_{−}−r_{ZX}, secure multiplication with a conventional technique reads a_{−}, b_{+}, a_{+}, and b_{−} and writes the resulting c_{XY}. 
This requires execution of two multiplications and two additions/subtractions. Further, when calculating c_{−}=a_{−}b_{−}+c_{ZX}+r_{ZX}, secure multiplication with the conventional technique reads a_{−}, b_{−}, and c_{ZX }and writes c_{−}. This requires execution of one multiplication and three additions/subtractions. Still further, when calculating c_{+}=a_{+} b_{+}+c_{XY}+r_{XY}, secure multiplication with the conventional technique reads a_{+}, b_{+}, and c_{XY }and writes the resulting c_{+}. This requires execution of one multiplication and three additions/subtractions. Consequently, in total, it is necessary to perform ten reading operations, three writing operations, four multiplications, and eight additions/subtractions per party. By contrast, when calculating c_{+}=(a_{+}+a_{−})(b_{+}+b_{−})−a_{−}b_{−}+r_{+}−r_{−}, the secure computation apparatus **10**-P_{i }of this embodiment reads a_{−}, b_{+}, a_{+}, and b_{−} and writes the resulting c_{+}. Thus, in total, only four reading operations, one writing operation, two multiplications, and five additions/subtractions are required per party. Compared to the conventional technique, this embodiment can lessen the number of reading operations to 40%, the number of writing operations to 33%, the number of multiplications to 50%, and the number of additions/subtractions to 63%.

**Second Embodiment**

In a second embodiment, multiply-accumulate a(0)b(0)+ . . . +a(N−1)b(N−1)∈F with arbitrary values a(0), . . . , a(N−1) and b(0), . . . , b(N−1) is performed by secure computation (secure multiply-accumulate). Here, F represents a finite field and N is a positive integer (for example, an integer greater than 1). This secure multiply-accumulate obtains secret sharing values of a multiply-accumulate result a(0)b(0)+ . . . +a(N−1)b(N−1) from secret sharing values of an arbitrary value a(n) and secret sharing values of an arbitrary value b(n) for n=0, . . . , N−1. This is described in detail below.

<Configuration>

A secure computation system **2** of this embodiment includes three secure computation apparatuses **21**-P_{0}, **21**-P_{1}, **21**-P_{2} (secure computation apparatuses P_{0}, P_{1}, P_{2}). The secure computation apparatuses **21**-P_{0}, **21**-P_{1}, **21**-P_{2} are configured to be able to communicate over a communication network, such as the Internet. The secure computation apparatus **21**-P (where P∈{P_{0}, P_{1}, P_{2}}) of this embodiment includes a storage **211**-P (storage and memory), an arithmetic unit **212**-P, a control unit **213**-P, a sharing unit **114**-P, and a communication unit **115**-P. The secure computation apparatus **21**-P executes various kinds of processing under control of the control unit **213**-P and data resulting from the processing is sequentially stored in the storage **211**-P and read out where necessary.

<Preliminary Processing>

Through preliminary processing, an arbitrary value a(n) is secret-shared among subshares a_{0}(n), a_{1}(n), a_{2}(n)∈F satisfying a(n)=a_{0}(n)+a_{1}(n)+a_{2}(n)∈F, and an arbitrary value b(n) is secret-shared among subshares b_{0}(n), b_{1}(n), b_{2}(n)∈F satisfying b(n)=b_{0}(n)+b_{1}(n)+b_{2}(n)∈F, for n=0, . . . , N−1 (where N is a positive integer, for example, N is an integer greater than 1). A storage **211**-P_{i} of a secure computation apparatus **21**-P_{i} has stored therein subshares a_{+}(n)∈{a_{0}(n), a_{1}(n), a_{2}(n)} and b_{+}(n)∈{b_{0}(n), b_{1}(n), b_{2}(n)} for n=0, . . . , N−1, and a storage **211**-P_{+} of a secure computation apparatus **21**-P_{+} also has stored therein the subshares a_{+}(n) and b_{+}(n) for n=0, . . . , N−1. Each subshare a_{+}(n) is any one element of {a_{0}(n), a_{1}(n), a_{2}(n)}, and each subshare b_{+}(n) is any one element of {b_{0}(n), b_{1}(n), b_{2}(n)}. The storage **211**-P_{i} of the secure computation apparatus **21**-P_{i} has stored therein subshares a_{−}(n)∈A_{−}(n) and b_{−}(n)∈B_{−}(n) for n=0, . . . , N−1, and a storage **211**-P_{−} of a secure computation apparatus **21**-P_{−} also has stored therein subshares a_{−}(n) and b_{−}(n) for n=0, . . . , N−1. Each subshare a_{−}(n) is any one element of A_{−}(n), and each subshare b_{−}(n) is any one element of B_{−}(n). Here, A_{−}(n) is a complement of a_{+}(n) in {a_{0}(n), a_{1}(n), a_{2}(n)} (A_{−}(n)={a_{0}(n), a_{1}(n), a_{2}(n)}−{a_{+}(n)}), and B_{−}(n) is a complement of b_{+}(n) in {b_{0}(n), b_{1}(n), b_{2}(n)} (B_{−}(n)={b_{0}(n), b_{1}(n), b_{2}(n)}−{b_{+}(n)}). Also, i∈{0, 1, 2} holds, P_{+} is P_{(i+1)mod 3}, and P_{−} is P_{(i−1)mod 3}. In the illustrated example, subshares (a_{0}(n), a_{1}(n)) and (b_{0}(n), b_{1}(n)) for n=0, . . . , N−1 are stored in a storage **211**-P_{0} of the secure computation apparatus **21**-P_{0}, subshares (a_{1}(n), a_{2}(n)) and (b_{1}(n), b_{2}(n)) for n=0, . . . , N−1 are stored in a storage **211**-P_{1} of the secure computation apparatus **21**-P_{1}, and subshares (a_{2}(n), a_{0}(n)) and (b_{2}(n), b_{0}(n)) for n=0, . . . , N−1 are stored in a storage **211**-P_{2} of the secure computation apparatus **21**-P_{2}. Note that (a_{0}(n), a_{1}(n)), (a_{1}(n), a_{2}(n)), and (a_{2}(n), a_{0}(n)) are secret sharing values of a(n), and (b_{0}(n), b_{1}(n)), (b_{1}(n), b_{2}(n)), and (b_{2}(n), b_{0}(n)) are secret sharing values of b(n).

<Secure Computation>

On the precondition that this preliminary processing has been performed, each secure computation apparatus **21**-P_{i} (where i∈{0, 1, 2}) performs the following secure computation.

A sharing unit **114**-P_{i} of each secure computation apparatus **21**-P_{i} and a sharing unit **114**-P_{+} of the secure computation apparatus **21**-P_{+} share an arbitrary value r_{+}∈F. The shared arbitrary value r_{+} is stored in the storage **211**-P_{i} and the storage **211**-P_{+}. Specific examples of the arbitrary value r_{+} and the process of sharing it were described in the first embodiment (step S**21**).

The sharing unit **114**-P_{i }of each secure computation apparatus **21**-P_{i }and the sharing unit **114**-P_{−} of the secure computation apparatus **21**-P_{−} share an arbitrary value r_{−}∈F. The shared arbitrary value r_{−} is stored in the storage **211**-P_{i }and the storage **211**-P_{−}. Specific examples of the arbitrary value r_{−} and the process of sharing it were described in the first embodiment (step S**22**).

In the illustrated example, in steps S**21** and S**22**, the sharing unit **114**-P_{0} and the sharing unit **114**-P_{1} share an arbitrary value r_{01}∈F, the sharing unit **114**-P_{1} and the sharing unit **114**-P_{2} share an arbitrary value r_{12}∈F, and the sharing unit **114**-P_{2} and the sharing unit **114**-P_{0} share an arbitrary value r_{20}∈F.

An arithmetic unit **212**-P_{i }of each secure computation apparatus **21**-P_{i }uses a_{+}(n), a_{−}(n), b_{+}(n), b_{−}(n), r_{+}, and r_{−} for n=0, . . . , N−1 read from the storage **211**-P_{i }to calculate and output:

$$c_{+}=\sum_{n=0}^{N-1}\{(a_{+}(n)+a_{-}(n))(b_{+}(n)+b_{-}(n))-a_{-}(n)b_{-}(n)+r_{+}-r_{-}\}\in F$$

In the illustrated example, the arithmetic unit **212**-P_{0} of the secure computation apparatus **21**-P_{0} calculates and outputs:

$$c_{1}=\sum_{n=0}^{N-1}\{(a_{0}(n)+a_{1}(n))(b_{0}(n)+b_{1}(n))-a_{0}(n)b_{0}(n)+r_{01}-r_{20}\}\in F$$

the arithmetic unit **212**-P_{1} of the secure computation apparatus **21**-P_{1} calculates and outputs:

$$c_{2}=\sum_{n=0}^{N-1}\{(a_{1}(n)+a_{2}(n))(b_{1}(n)+b_{2}(n))-a_{1}(n)b_{1}(n)+r_{12}-r_{01}\}\in F$$

and the arithmetic unit **212**-P_{2} of the secure computation apparatus **21**-P_{2} calculates and outputs:

$$c_{0}=\sum_{n=0}^{N-1}\{(a_{2}(n)+a_{0}(n))(b_{2}(n)+b_{0}(n))-a_{2}(n)b_{2}(n)+r_{20}-r_{12}\}\in F$$

(step S**23**).

A communication unit **115**-P_{i} of each secure computation apparatus **21**-P_{i} transmits c_{+} (outputs c_{+}) to the secure computation apparatus **21**-P_{+} (step S**24**). c_{+} is received by (input to) a communication unit **115**-P_{+} of the secure computation apparatus **21**-P_{+}. Letting c_{−} represent a value calculated by an arithmetic unit **212**-P_{−} of the secure computation apparatus **21**-P_{−} and transmitted from the communication unit **115**-P_{−}, the communication unit **115**-P_{i} of each secure computation apparatus **21**-P_{i} receives c_{−} (step S**25**). In the illustrated example, the communication unit **115**-P_{0} of the secure computation apparatus **21**-P_{0} transmits c_{1} to the secure computation apparatus **21**-P_{1}, and c_{1} is received by a communication unit **115**-P_{1} of the secure computation apparatus **21**-P_{1}. The communication unit **115**-P_{1} of the secure computation apparatus **21**-P_{1} transmits c_{2} to the secure computation apparatus **21**-P_{2}, and c_{2} is received by a communication unit **115**-P_{2} of the secure computation apparatus **21**-P_{2}. The communication unit **115**-P_{2} of the secure computation apparatus **21**-P_{2} transmits c_{0} to the secure computation apparatus **21**-P_{0}, and c_{0} is received by the communication unit **115**-P_{0} of the secure computation apparatus **21**-P_{0} (steps S**24** and S**25**).

c_{−} received at step S**25** and c_{+} obtained at step S**23** are stored in the storage **211**-P_{i} of each secure computation apparatus **21**-P_{i}. In the illustrated example, (c_{0}, c_{1}) are stored in the storage **211**-P_{0} of the secure computation apparatus **21**-P_{0}, (c_{1}, c_{2}) are stored in the storage **211**-P_{1} of the secure computation apparatus **21**-P_{1}, and (c_{2}, c_{0}) are stored in the storage **211**-P_{2} of the secure computation apparatus **21**-P_{2} (step S**16**).

c_{0}, c_{1}, and c_{2 }in this embodiment are the subshares of the multiply-accumulate result a(0)b(0)+ . . . +a(N−1)b(N−1), which satisfies a(0)b(0)+ . . . +a(N−1)b(N−1)=c_{0}+c_{1}+c_{2}∈F. (c_{0}, c_{1}), (c_{1}, c_{2}), and (c_{2}, c_{0}) are the secret sharing values of the multiply-accumulate result a(0)b(0)+ . . . +a(N−1)b(N−1). Obtaining any two of these secret sharing values (c_{0}, c_{1}), (c_{1}, c_{2}), (c_{2}, c_{0}) allows reconstruction of the multiply-accumulate result a(0)b(0)+ . . . +a(N−1)b(N−1). That is, c_{0}+c_{1}+c_{2}=a(0)b(0)+ . . . +a(N−1)b(N−1) is satisfied.

(c_{−}, c_{+}) stored in the storage **211**-P_{i }of each secure computation apparatus **21**-P_{i }may be provided as input to a further secure computation apparatus (not shown), or may be provided as input to a reconstruction apparatus (not shown) which reconstructs the multiply-accumulate result a(0)b(0)+ . . . +a(N−1)b(N−1) for reconstruction and output of the multiply-accumulate result a(0)b(0)+ . . . +a(N−1)b(N−1).
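
Both embodiments can be exercised end to end in one process. The Python below is an added example, not code from the patent or its applicant: it simulates the three apparatuses, with the first embodiment being the case N=1, and uses the variant in which the arbitrary values are taken per term as r_{+}(n), r_{−}(n). Assumptions of this example: the field F is GF(2^61−1), the arbitrary values are derived from pairwise seeds with HMAC-SHA256 (one instance of the seed-based sharing of step S11), and the names `share`, `prf`, `Party`, `run_protocol`, `reconstruct` and the copy-consistency check in `reconstruct` are hypothetical.

```python
import hashlib
import hmac
import secrets

P = 2**61 - 1  # assumed prime modulus; the text only requires a finite field F


def share(x):
    """Preliminary processing: split x into subshares x0 + x1 + x2 = x in F."""
    x0, x1 = secrets.randbelow(P), secrets.randbelow(P)
    return [x0, x1, (x - x0 - x1) % P]


def prf(seed, label):
    """Derive a field element from a pairwise seed (assumed HMAC-SHA256 PRF).
    Reducing 256 bits mod a 61-bit prime leaves only negligible bias."""
    return int.from_bytes(hmac.new(seed, label, hashlib.sha256).digest(), "big") % P


class Party:
    """Apparatus P_i. It holds (a_-, a_+) = (a_i, a_{i+1}) and (b_-, b_+) for
    every n, one seed shared with P_+ and one seed shared with P_-."""

    def __init__(self, a_pairs, b_pairs, seed_plus, seed_minus):
        self.a, self.b = a_pairs, b_pairs
        self.seed_plus, self.seed_minus = seed_plus, seed_minus

    def compute_c_plus(self, session):
        """Steps S13/S23: c_+ = sum over n of
        (a_+ + a_-)(b_+ + b_-) - a_- b_- + r_+(n) - r_-(n)."""
        acc = 0
        for n, ((a_m, a_p), (b_m, b_p)) in enumerate(zip(self.a, self.b)):
            label = session + n.to_bytes(4, "big")
            r_plus = prf(self.seed_plus, label)    # same value at P_+
            r_minus = prf(self.seed_minus, label)  # same value at P_-
            acc += (a_p + a_m) * (b_p + b_m) - a_m * b_m + r_plus - r_minus
        return acc % P


def run_protocol(a_vals, b_vals, session=b"session-0"):
    """Run one multiply-accumulate; returns what each P_i stores: (c_i, c_{i+1})."""
    a_sh = [share(a % P) for a in a_vals]
    b_sh = [share(b % P) for b in b_vals]
    # seeds[i] is known to P_i and P_{i+1}: it yields r_01, r_12, r_20.
    seeds = [secrets.token_bytes(32) for _ in range(3)]
    parties = []
    for i in range(3):
        nxt = (i + 1) % 3
        parties.append(Party(
            [(s[i], s[nxt]) for s in a_sh],
            [(s[i], s[nxt]) for s in b_sh],
            seed_plus=seeds[i],
            seed_minus=seeds[(i - 1) % 3],
        ))
    # P_i computes c_+ = c_{i+1}; this is the only value it transmits.
    sent = [p.compute_c_plus(session) for p in parties]
    # Steps S14-S16: P_i receives c_- = c_i from P_- and stores (c_-, c_+).
    return [(sent[(i - 1) % 3], sent[i]) for i in range(3)]


def reconstruct(i, pair_i, j, pair_j):
    """Rebuild the result from the values stored at two apparatuses P_i, P_j.
    The subshare both hold must match (added check, not in the text)."""
    sub = {}
    for idx, pair in ((i, pair_i), (j, pair_j)):
        for k, value in zip((idx, (idx + 1) % 3), pair):
            if sub.setdefault(k, value) != value:
                raise ValueError("inconsistent copies of subshare c_%d" % k)
    if len(sub) != 3:
        raise ValueError("need the values of two different apparatuses")
    return sum(sub.values()) % P


if __name__ == "__main__":
    # Constructed sample inputs.
    stored = run_protocol([7], [6])                    # first embodiment
    print(reconstruct(0, stored[0], 1, stored[1]))     # 42
    stored = run_protocol([3, 5, 11], [2, 4, 6])       # second embodiment, N=3
    print(reconstruct(1, stored[1], 2, stored[2]))     # 92
```

Each apparatus sends exactly one field element per multiply-accumulate regardless of N, and the copy shared by two apparatuses gives the reconstructing side a cheap check that the two inputs agree.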

**Features of this Embodiment**

As shown above, this embodiment allows secure multiply-accumulate to be performed with fewer additions/subtractions and multiplications and fewer memory accesses than the conventional scheme described in Patent Literature 1.

It is to be noted that the present invention is not limited to the foregoing embodiments. For example, the above-described various kinds of processing may be executed, in addition to being executed in chronological order in accordance with the descriptions, in parallel or individually depending on the processing power of an apparatus that executes the processing or when needed. In addition, it goes without saying that changes may be made as appropriate without departing from the spirit of the present invention. Also, the arbitrary value r_{+} in the second embodiment may be r_{+}(n) corresponding to each one of n=0, . . . , N−1, and the arbitrary value r_{−} may be r_{−}(n) corresponding to each one of n=0, . . . , N−1. For instance, in the illustrated example, the arbitrary value r_{01} may be r_{01}(n)∈F corresponding to each one of n=0, . . . , N−1, and the arbitrary value r_{20} may be r_{20}(n)∈F corresponding to each one of n=0, . . . , N−1.

Each of the above-described apparatuses is embodied by execution of a predetermined program by a general- or special-purpose computer having a processor (hardware processor) such as a central processing unit (CPU), memories such as random-access memory (RAM) and read-only memory (ROM), and the like, for example. The computer may have one processor and one memory or have multiple processors and memories. The program may be installed on the computer or pre-recorded on the ROM and the like. Also, some or all of the processing units may be embodied using an electronic circuit that implements processing functions without using programs, rather than an electronic circuit (circuitry) that implements functional components by loading of programs like a CPU. An electronic circuit constituting a single apparatus may include multiple CPUs.

When the above-described configurations are implemented by a computer, the processing details of the functions supposed to be provided in each apparatus are described by a program. As a result of this program being executed by the computer, the above-described processing functions are implemented on the computer. The program describing the processing details can be recorded on a computer-readable recording medium. An example of the computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium include a magnetic recording device, an optical disk, a magneto-optical recording medium, and semiconductor memory.

The distribution of this program is performed by, for example, selling, transferring, or lending a portable recording medium such as a DVD or a CD-ROM on which the program is recorded. Furthermore, a configuration may be adopted in which this program is distributed by storing the program in a storage device of a server computer and transferring the program to other computers from the server computer via a network.

The computer that executes such a program first, for example, temporarily stores the program recorded on the portable recording medium or the program transferred from the server computer in a storage device thereof. At the time of execution of processing, the computer reads the program stored in the storage device thereof and executes the processing in accordance with the read program. As another mode of execution of this program, the computer may read the program directly from the portable recording medium and execute the processing in accordance with the program and, furthermore, every time the program is transferred to the computer from the server computer, the computer may sequentially execute the processing in accordance with the received program. A configuration may be adopted in which the transfer of a program to the computer from the server computer is not performed and the above-described processing is executed by so-called application service provider (ASP)-type service by which the processing functions are implemented only by an instruction for execution thereof and result acquisition.

Instead of executing a predetermined program on the computer to implement the processing functions of the present apparatuses, at least some of the processing functions may be implemented by hardware.

**DESCRIPTION OF REFERENCE NUMERALS**

**1**, **2** secure computation system

**11**-P secure computation apparatus

## Claims

1. A secure computation system comprising:

- a secure computation apparatus P0;

- a secure computation apparatus P1; and

- a secure computation apparatus P2, wherein

- each of the secure computation apparatuses comprising processing circuitry configured to receive, over a network, an input of one or more respective subshares of data a and b, wherein the data a and b is concealed from each of the secure computation apparatuses;

- i∈{0, 1, 2} holds; P+ is P(i+1)mod 3; P− is P(i−1)mod 3; a and b are arbitrary values; a0, a1, and a2 are subshares satisfying a=a0+a1+a2; b0, b1, and b2 are subshares satisfying b=b0+b1+b2,

- a storage of a secure computation apparatus Pi and a storage of a secure computation apparatus P+ have stored therein subshares a+∈{a0, a1, a2} and b+∈{b0, b1, b2},

- the storage of the secure computation apparatus Pi and a storage of a secure computation apparatus P− have stored therein subshares a−∈A− and b−∈B−, where A− is a complement of a+ in {a0, a1, a2} and B− is a complement of b+ in {b0, b1, b2},

- a sharing unit of the secure computation apparatus Pi and a sharing unit of the secure computation apparatus P+ share an arbitrary value r+, wherein r+∈F,

- the sharing unit of the secure computation apparatus Pi and a sharing unit of the secure computation apparatus P− share an arbitrary value r−, wherein r−∈F,

- an arithmetic unit of the secure computation apparatus Pi calculates c+=(a++a−)(b++b−)−a−b−+r+−r−, wherein c+∈{c0, c1, c2}, and c0+c1+c2=a*b, and

- an output unit of the secure computation apparatus Pi outputs c+ to the secure computation apparatus P+, and c+ is input to an input unit of the secure computation apparatus P+, which results in an exchange process of secure computation apparatus P0 calculating c1 and transmitting c1 to secure computation apparatus P1, secure computation apparatus P1 calculating and transmitting c2 to secure computation apparatus P2 and secure computation apparatus P2 calculating c0 and transmitting c0 to secure computation apparatus P0,

- wherein after the exchange process, each of P0, P1, and P2 store a different pair of values among c0, c1, c2.

2. A secure computation system comprising:

- a secure computation apparatus P0;

- a secure computation apparatus P1; and

- a secure computation apparatus P2, wherein

- each of the secret computation apparatuses comprising processing circuitry configured to receive, over a network, an input of one or more respective subshares of data a(n) and b(n), wherein the data a(n) and b(n) is concealed from each of the secret computation apparatuses;

- i∈{0, 1, 2} holds; P+ is P(i+1)mod 3; P− is P(i−1)mod 3; a(n) and b(n) are arbitrary values; a0(n), a1(n), and a2(n) are subshares of a(n) satisfying a(n)=a0(n)+a1(n)+a2(n); b0(n), b1(n), and b2(n) are subshares of b(n) satisfying b(n)=b0(n)+b1(n)+b2(n); and N is a positive integer, where n=0,..., N−1,

- a storage of a secure computation apparatus Pi and a storage of a secure computation apparatus P+ have stored therein subshares a+(n)∈{a0(n), a1(n), a2(n)} and b+(n)∈{b0(n), b1(n), b2(n)},

- the storage of the secure computation apparatus Pi and a storage of a secure computation apparatus P− have stored therein subshares a−(n)∈A−(n) and b−(n)∈B−(n), where A−(n) is a complement of a+(n) in {a0(n), a1(n), a2(n)} and B−(n) is a complement of b+(n) in {b0(n), b1(n), b2(n)},

- a sharing unit of the secure computation apparatus Pi and a sharing unit of the secure computation apparatus P+ share an arbitrary value r+, wherein r+∈F,

- the sharing unit of the secure computation apparatus Pi and a sharing unit of the secure computation apparatus P− share an arbitrary value r−, wherein r−∈F,

- an arithmetic unit of the secure computation apparatus Pi calculates: c+=Σ_{n=0}^{N−1}{(a+(n)+a−(n))(b+(n)+b−(n))−a−(n)b−(n)+r+−r−},

- wherein c+∈{c0, c1, c2}, and c0+c1+c2=a(0)b(0)+... +a(N−1)b(N−1), and

- an output unit of the secure computation apparatus Pi outputs c+ to the secure computation apparatus P+, and c+ is input to an input unit of the secure computation apparatus P+, which results in an exchange process of secure computation apparatus P0 calculating c1 and transmitting c1 to secure computation apparatus P1, secure computation apparatus P1 calculating c2 and transmitting c2 to secure computation apparatus P2 and secure computation apparatus P2 calculating c0 and transmitting c0 to secure computation apparatus P0,

- wherein after the exchange process, each of P0, P1, and P2 store a different pair of values among c0, c1, c2.

3. A secure computation apparatus, wherein

- the secure computation apparatus is one of a plurality of secure computation apparatuses P0, P1, and P2,

- each of the secure computation apparatuses comprising processing circuitry configured to receive, over a network, an input of one or more respective subshares of data a and b, wherein the data a and b is concealed from each of the secure computation apparatuses,

- i∈{0, 1, 2} holds; P+ is P(i+1)mod 3, P− is P(i−1)mod 3, a and b are arbitrary values; a0, a1, and a2 are subshares of a satisfying a=a0+a1+a2, and b0, b1, and b2 are subshares of b satisfying b=b0+b1+b2, and

- the secure computation apparatus includes a storage that stores subshares a+∈{a0, a1, a2} and b+∈{b0, b1, b2} which are stored on a secure computation apparatus P+ and subshares a−∈A− and b−∈B− which are stored on a secure computation apparatus P− (where A− is a complement of a+ in {a0, a1, a2} and B− is a complement of b+ in {b0, b1, b2}),

- a sharing unit that shares an arbitrary value r+ with the secure computation apparatus P+ and shares an arbitrary value r− with the secure computation apparatus P−, wherein r+∈F and r−∈F, an arithmetic unit that calculates c+=(a++a−)(b++b−)−a−b−+r+−r−, wherein c+∈{c0, c1, c2}, and c0+c1+c2=a*b, and an output unit that outputs c+ to the secure computation apparatus P+, which results in an exchange process of secure computation apparatus P0 calculating c1 and transmitting c1 to secure computation apparatus P1, secure computation apparatus P1 calculating c2 and transmitting c2 to secure computation apparatus P2 and secure computation apparatus P2 calculating c0 and transmitting c0 to secure computation apparatus P0, wherein after the exchange process, each of P0, P1, and P2 store a different pair of values among c0, c1, c2.

4. A secure computation apparatus, wherein

- the secure computation apparatus is one of a plurality of secure computation apparatuses P0, P1, and P2,

- each of the secure computation apparatuses comprising processing circuitry configured to receive, over a network, an input of one or more respective subshares of data a(n) and b(n), wherein the data a(n) and b(n) is concealed from each of the secure computation apparatuses;

- i∈{0, 1, 2} holds; P+ is P(i+1)mod 3; P− is P(i−1)mod 3; a(n) and b(n) are arbitrary values; a0(n), a1(n), and a2(n) are subshares of a(n) satisfying a(n)=a0(n)+a1(n)+a2(n); and b0(n), b1(n), and b2(n) are subshares of b(n) satisfying b(n)=b0(n)+b1(n)+b2(n), and

- the secure computation apparatus includes a storage that stores subshares a+(n)∈{a0(n), a1(n), a2(n)} and b+(n)∈{b0(n), b1(n), b2(n)} which are stored on a secure computation apparatus P+, and subshares a−(n)∈A−(n) and b−(n)∈B−(n) which are stored on a secure computation apparatus P− (where A−(n) is a complement of a+(n) in {a0(n), a1(n), a2(n)} and B−(n) is a complement of b+(n) in {b0(n), b1(n), b2(n)}), a sharing unit that shares an arbitrary value r+ with the secure computation apparatus P+ and shares an arbitrary value r− with the secure computation apparatus P−, wherein r+∈F and r−∈F, an arithmetic unit that calculates: c+=Σ_{n=0}^{N−1}{(a+(n)+a−(n))(b+(n)+b−(n))−a−(n)b−(n)+r+−r−}, wherein c+∈{c0, c1, c2}, and c0+c1+c2=a(0)b(0)+... +a(N−1)b(N−1), and an output unit that outputs c+ to the secure computation apparatus P+, which results in an exchange process of secure computation apparatus P0 calculating c1 and transmitting c1 to secure computation apparatus P1, secure computation apparatus P1 calculating c2 and transmitting c2 to secure computation apparatus P2 and secure computation apparatus P2 calculating c0 and transmitting c0 to secure computation apparatus P0, wherein after the exchange process, each of P0, P1, and P2 store a different pair of values among c0, c1, c2.

5. The secure computation apparatus according to claim 4, wherein the arbitrary value r+ is r+(n) and the arbitrary value r− is r−(n).

6. A computer-readable recording medium storing a program for causing a computer to function as the secure computation apparatus according to claim 3 or 4.

7. A secure computation method implemented by a secure computation apparatus, wherein

- the secure computation apparatus is one of a plurality of secure computation apparatuses P0, P1, and P2,

- each of the secure computation apparatuses comprising processing circuitry configured to receive, over a network, an input of one or more respective subshares of data a and b, wherein the data a and b is concealed from each of the secure computation apparatuses;

- i∈{0, 1, 2} holds; P+ is P(i+1)mod 3; P− is P(i−1)mod 3; a and b are arbitrary values; a0, a1, and a2 are subshares of a satisfying a=a0+a1+a2; and b0, b1, and b2 are subshares of b satisfying b=b0+b1+b2,

- subshares a+∈{a0, a1, a2} and b+∈{b0, b1, b2} stored on a secure computation apparatus P+, and subshares a−∈A− and b−∈B− stored on a secure computation apparatus P− are stored in a storage of a secure computation apparatus Pi, where A− is a complement of a+ in {a0, a1, a2} and B− is a complement of b+ in {b0, b1, b2}, and

- the secure computation method includes a step of sharing, by a sharing unit of the secure computation apparatus Pi, an arbitrary value r+ with the secure computation apparatus P+ and sharing an arbitrary value r− with the secure computation apparatus P−, wherein r+∈F and r−∈F, a step of calculating c+=(a++a−)(b++b−)−a−b−+r+−r− by an arithmetic unit of the secure computation apparatus Pi, wherein c+∈{c0, c1, c2}, and c0+c1+c2=a*b, and a step of outputting c+ to the secure computation apparatus P+ by an output unit of the secure computation apparatus Pi, which results in an exchange process of secure computation apparatus P0 calculating c1 and transmitting c1 to secure computation apparatus P1, secure computation apparatus P1 calculating c2 and transmitting c2 to secure computation apparatus P2, and secure computation apparatus P2 calculating c0 and transmitting c0 to secure computation apparatus P0, wherein after the exchange process, each of P0, P1, and P2 store a different pair of values among c0, c1, c2.

8. A secure computation method, implemented by a secure computation apparatus, wherein

- each of the secure computation apparatuses comprising processing circuitry configured to receive, over a network, an input of one or more respective subshares of data a(n) and b(n), wherein the data a(n) and b(n) is concealed from each of the secure computation apparatuses;

- i∈{0, 1, 2} holds; P+ is P(i+1)mod 3; P− is P(i−1)mod 3; a(n) and b(n) are arbitrary values; a0(n), a1(n), and a2(n) are subshares of a(n) satisfying a(n)=a0(n)+a1(n)+a2(n); and b0(n), b1(n), and b2(n) are subshares of b(n) satisfying b(n)=b0(n)+b1(n)+b2(n),

- subshares a+(n)∈{a0(n), a1(n), a2(n)} and b+(n)∈{b0(n), b1(n), b2(n)} stored on a secure computation apparatus P+, and subshares a−(n)∈A−(n) and b−(n)∈B−(n) stored on a secure computation apparatus P− are stored in a storage of a secure computation apparatus Pi, where A−(n) is a complement of a+(n) in {a0(n), a1(n), a2(n)} and B−(n) is a complement of b+(n) in {b0(n), b1(n), b2(n)}, and

- the secure computation method includes a step of sharing, by a sharing unit of the secure computation apparatus Pi, an arbitrary value r+ with the secure computation apparatus P+ and sharing an arbitrary value r− with the secure computation apparatus P−, wherein r+∈F and r−∈F, a step of calculating, by an arithmetic unit of the secure computation apparatus Pi: c+=Σ_{n=0}^{N−1}{(a+(n)+a−(n))(b+(n)+b−(n))−a−(n)b−(n)+r+−r−}, wherein c+∈{c0, c1, c2}, and c0+c1+c2=a(0)b(0)+... +a(N−1)b(N−1), and a step of outputting c+ to the secure computation apparatus P+ by an output unit of the secure computation apparatus Pi, which results in an exchange process of secure computation apparatus P0 calculating c1 and transmitting c1 to secure computation apparatus P1, secure computation apparatus P1 calculating c2 and transmitting c2 to secure computation apparatus P2, and secure computation apparatus P2 calculating c0 and transmitting c0 to secure computation apparatus P0, wherein after the exchange process, each of P0, P1, and P2 store a different pair of values among c0, c1, c2.
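The exchange recited in claims 1 and 2, simulated for all three parties over a prime field, as an added example that is not code from the patent. Assumptions: the modulus `P`, the index assignment a+ = a_{i+1} and a− = a_i for party P_i, and every function name. The `masked=False` path shows what the receiving party could derive from c+ if r+−r− were left out.

```python
import secrets

P = 2**61 - 1  # prime modulus standing in for the field F (constructed choice)

def share(x):
    """Split x into subshares [x0, x1, x2] with x0 + x1 + x2 = x (mod P)."""
    x0, x1 = secrets.randbelow(P), secrets.randbelow(P)
    return [x0, x1, (x - x0 - x1) % P]

def view(sub, i):
    """Subshares stored by P_i, as (x_minus, x_plus) = (x_i, x_{i+1}).
    This index assignment is an assumption; the claims only require that
    x_plus is also stored by P+ and x_minus is also stored by P-."""
    return sub[i], sub[(i + 1) % 3]

def c_plus(i, a_subs, b_subs, r, masked=True):
    """Value P_i computes locally and sends to P+ (claim 2; N = 1 is claim 1)."""
    r_plus, r_minus = r[i], r[(i - 1) % 3]  # r[i] is shared by P_i and P_{i+1}
    acc = 0
    for a, b in zip(a_subs, b_subs):
        (a_m, a_p), (b_m, b_p) = view(a, i), view(b, i)
        acc += (a_p + a_m) * (b_p + b_m) - a_m * b_m  # two multiplications
        if masked:
            acc += r_plus - r_minus  # inside the sum, as claim 2 writes it
    return acc % P

def secure_mac(a_vals, b_vals, masked=True):
    """Simulate P0, P1, P2 on inputs a(n), b(n).
    Returns (sent, views, a_subs, b_subs): sent[i] is the message from P_i
    to P_{i+1}, i.e. c_{i+1}; views[i] = (c_i, c_{i+1}) is what P_i stores
    after the exchange."""
    a_subs = [share(a) for a in a_vals]
    b_subs = [share(b) for b in b_vals]
    r = [secrets.randbelow(P) for _ in range(3)]
    sent = [c_plus(i, a_subs, b_subs, r, masked) for i in range(3)]
    views = [(sent[(i - 1) % 3], sent[i]) for i in range(3)]
    return sent, views, a_subs, b_subs

def reconstruct(sent):
    """c0 + c1 + c2 (mod P); the masks r+ - r- cancel around the ring."""
    return sum(sent) % P

def receiver_residue(i, msg, a_subs, b_subs):
    """What P_{i+1} can strip from P_i's message with subshares it already
    stores: msg - sum_n a_{i+1}(n) b_{i+1}(n). Without the mask this is
    sum_n (a_{i+1}(n) b_i(n) + a_i(n) b_{i+1}(n)), a relation on a_i, b_i,
    which P_{i+1} does not store."""
    j = (i + 1) % 3
    known = sum(a[j] * b[j] for a, b in zip(a_subs, b_subs))
    return (msg - known) % P

if __name__ == "__main__":
    sent, views, _, _ = secure_mac([3, 5, 7], [11, 13, 17])
    print(reconstruct(sent))  # 217
```
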

**References Cited**

**U.S. Patent Documents**

8085938 | December 27, 2011 | Kagaya |

8719573 | May 6, 2014 | Ran |

9202076 | December 1, 2015 | Chazin |

9449177 | September 20, 2016 | El Defrawy |

9768953 | September 19, 2017 | Bernat |

10116439 | October 30, 2018 | Koike |

10657847 | May 19, 2020 | Hamada |

10721063 | July 21, 2020 | Furukawa |

10972271 | April 6, 2021 | Hamada |

11128452 | September 21, 2021 | Vaněk |

11200346 | December 14, 2021 | Hamada |

20040179686 | September 16, 2004 | Matsumura |

20080022091 | January 24, 2008 | Deshpande |

20080162646 | July 3, 2008 | Pizano |

20080205637 | August 28, 2008 | Kurihara |

20080232580 | September 25, 2008 | Hosaka |

20100054480 | March 4, 2010 | Schneider |

20100205443 | August 12, 2010 | Zhao |

20100215172 | August 26, 2010 | Schneider |

20120290830 | November 15, 2012 | Resch |

20130114815 | May 9, 2013 | Nishimaki |

20130182836 | July 18, 2013 | Hamada |

20130272521 | October 17, 2013 | Kipnis |

20130304780 | November 14, 2013 | Ikarashi |

20130339728 | December 19, 2013 | Ikarashi |

20140173270 | June 19, 2014 | Matsuo |

20140177825 | June 26, 2014 | Mattsson |

20150213079 | July 30, 2015 | Shukla |

20150372811 | December 24, 2015 | Le Saint |

20160087792 | March 24, 2016 | Smith |

20160210472 | July 21, 2016 | Ikarashi |

20160335440 | November 17, 2016 | Clark |

20170149740 | May 25, 2017 | Mansour |

20170228547 | August 10, 2017 | Smith |

20170310473 | October 26, 2017 | Takiguchi |

20170365192 | December 21, 2017 | Ikarashi |

20180011996 | January 11, 2018 | Dolev |

20180048625 | February 15, 2018 | Teranishi |

20180053442 | February 22, 2018 | Ikarashi |

20180115415 | April 26, 2018 | Teranishi |

20180123780 | May 3, 2018 | Ikarashi |

20180139045 | May 17, 2018 | Furukawa |

20180205707 | July 19, 2018 | Bellala |

20180218650 | August 2, 2018 | Ikarashi |

20180225431 | August 9, 2018 | Ikarashi |

20180375663 | December 27, 2018 | Le Saint |

20190014094 | January 10, 2019 | Le Saint |

20190044697 | February 7, 2019 | Paz de Araujo |

20190109701 | April 11, 2019 | Paz de Araujo |

20190141051 | May 9, 2019 | Ikarashi |

20190156705 | May 23, 2019 | Hamada |

20190163933 | May 30, 2019 | Hamada |

20190212986 | July 11, 2019 | Araki |

20190229904 | July 25, 2019 | Hamada |

20190266326 | August 29, 2019 | Furukawa |

20190310829 | October 10, 2019 | Hamada |

20190333415 | October 31, 2019 | Hamada |

20190349193 | November 14, 2019 | Ikarashi |

20200125724 | April 23, 2020 | Ikarashi |

20200242466 | July 30, 2020 | Mohassel |

20210082319 | March 18, 2021 | Araki |

20210157955 | May 27, 2021 | Araki |

20210334099 | October 28, 2021 | Araki |

20210334100 | October 28, 2021 | Ishizaka |

**Foreign Patent Documents**

6006842 | October 2016 | JP |

**Other references**

- Kikuchi et al., Secret Sharing with Share-Conversion: Achieving Small Share-Size and Extendibility to Multiparty Computation, IEICE Trans. Fundamentals, vol. E98-A, No. 1 Jan. 2015.
- Mohassel et al., Fast and Secure Three-party Computation: The Garbled Circuit Approach, ACM, Oct. 2015.
- International Search Report dated Oct. 2, 2018 in PCT/JP2018/024588 filed on Jun. 28, 2018.

**Patent History**

**Patent number**: 11456862

**Type**: Grant

**Filed**: Jun 28, 2018

**Date of Patent**: Sep 27, 2022

**Patent Publication Number**: 20200213097

**Assignee**: NIPPON TELEGRAPH AND TELEPHONE CORPORATION (Chiyoda-ku)

**Inventors**: Dai Ikarashi (Musashino), Koji Chida (Musashino), Ryo Kikuchi (Musashino)

**Primary Examiner**: David Garcia Cervetti

**Application Number**: 16/624,101

**Classifications**

**Current U.S. Class**:

**Particular Communication Authentication Technique (713/168)**

**International Classification**: H04L 9/08 (20060101); G09C 1/00 (20060101);